Access Restriction Bypass

Affecting xmlhttprequest-ssl package, versions <1.6.1

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

xmlhttprequest-ssl is a fork of xmlhttprequest.

Affected versions of this package are vulnerable to Access Restriction Bypass. The package disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.

PoC

const XMLHttpRequest = require('xmlhttprequest-ssl');

var xhr = new XMLHttpRequest();        /* pass empty object in version 1.5.4 to work around bug */

xhr.open("GET", "https://self-signed.badssl.com/");
xhr.addEventListener('readystatechange', () => console.log('ready state:', xhr.status));
xhr.addEventListener('loadend', loadend);

function loadend()
{
  console.log('loadend:', xhr);
  if (xhr.status === 0 && xhr.statusText.code === 'DEPTH_ZERO_SELF_SIGNED_CERT')
    console.log('test passed: self-signed cert rejected');
  else
    console.log('*** test failed: self-signed cert used to retrieve content');
}

xhr.send();

Remediation

Upgrade xmlhttprequest-ssl to version 1.6.1 or higher.

References

CVSS Score

7.3
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P
Credit
Wes Garland
CVE
CVE-2021-31597
CWE
CWE-284
Snyk ID
SNYK-JS-XMLHTTPREQUESTSSL-1255647
Disclosed
21 Apr, 2021
Published
26 Apr, 2021